In the response from the server a comment can be found which contains the link where the flag might be.

admin/index.php

The request type is “GET” and it has one parameter named “url”.

/index.php?url=websiteToVisit

The value of the “url” parameter is filtered. The server doesn’t accept words such as “php”, “//”, “127.0.0.1”, “58.229.183.24” as values. If the value sent to the server matches one of the words above, the following message is returned as the response:

After a little research I found out that it is possible to use the other three representations of an IP. I made a script that transforms an IP into its DWORD, HEXA and OCTAL representations, and below is our way to bypass the IP filter.

But there was one more problem: how to bypass the word “php”. The solution was simple. I had used it plenty of times to bypass XSS filters: I used double URL encoding to write the word “php” as “%2570hp” or “ph%2570”, etc.
Knowing how to bypass the filter in the backend, I made the following value, which I inserted in the url parameter.

As can be seen, only a part of the response was revealed, only 2 lines.
So I verified if it is possible to insert other parameters in the request header. I tried with “%0d%0a” and it worked.
So I attached to my url the following: